[wp-hackers] Author URLs expose usernames

Muhammad Ali mjsafoxy at gmail.com
Wed Jul 18 20:39:30 UTC 2012


Short answer (must sleep), I used to use .htaccess and .htpasswd to secure
the wp-admin directory. If you so please. I would advise also using a
captcha login page plugin of some kind.


On 18 July 2012 18:52, Otto <otto at ottodestruct.com> wrote:

> On Tue, Jul 17, 2012 at 11:13 PM, Tom Barrett <tcbarrett at gmail.com> wrote:
> > The main issue is exposing the username, passing an author id in the url is
> > just an easy way to find it.
>
> Exposing the username isn't the issue. The username isn't secret, nor
> should it need to be.
>
> The issue is allowing brute-force attacks to be carried out against
> your site, and having passwords that can be brute-forced to begin
> with.
>
> Consider the case where the username would be considered "secret". A
> brute-force attack would now have to work against both the username
> and the password. This is mathematically equivalent to knowing the
> username and just making the password roughly twice as long.
>
> However, it's not really equivalent, because while security
> professionals have been saying to make your passwords hard for
> decades, they have not been saying to make your usernames hard as
> well. Usernames are more likely to be all lowercase, for example. It's
> easier to brute-force a username than to brute-force a password,
> basically. So hiding the username isn't adding a whole lot of extra
> security to this particular attack-vector. Making the password more
> complex or longer adds a ton more security.
>
> What's more, usernames themselves are generally *known* anyway. Most
> modern systems don't even have usernames, they simply use the email
> address as the username. The real security is in the password and the
> difficulty therein.
>
> If you want to stop this sort of thing, attack the real problems. Stop
> the brute-force attacks from working at all by using a plugin like
> Limit Login Attempts
> (http://wordpress.org/extend/plugins/limit-login-attempts/) or enforce
> a good-password policy to begin with. Hiding the username just changes
> the attack vector, and stops it for a limited time, until they adapt
> to it. It doesn't actually solve the underlying problem.
>
> -Otto
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
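Otto's search-space argument and the lockout mitigation, worked through as an added example (not code from anyone in this thread): the alphabet sizes, the 8-character lengths and the lockout policy are assumptions, chosen to show why a lowercase username adds less than doubling the password would.

```python
import math

# Constructed parameters for illustration, not measurements from the thread.
LOWER = 26   # usernames: typically lowercase letters only
FULL = 95    # printable ASCII: what a deliberately hard password can draw from


def search_space(alphabet: int, length: int) -> int:
    """Number of candidate strings of exactly `length` symbols."""
    return alphabet ** length


def guesses_known_username(pw_len: int, pw_alpha: int = FULL) -> int:
    """Worst-case guesses when the username is public and only the password is unknown."""
    return search_space(pw_alpha, pw_len)


def guesses_hidden_username(user_len: int, pw_len: int,
                            user_alpha: int = LOWER, pw_alpha: int = FULL) -> int:
    """Worst-case guesses when both username and password must be found."""
    return search_space(user_alpha, user_len) * search_space(pw_alpha, pw_len)


def equivalent_extra_password_chars(user_len: int, user_alpha: int = LOWER,
                                    pw_alpha: int = FULL) -> float:
    """How many extra password characters give the same work as hiding the username.

    Equal to user_len only when the username draws from the same alphabet as the
    password; a lowercase username is worth fewer full-alphabet characters.
    """
    return user_len * math.log(user_alpha) / math.log(pw_alpha)


def years_to_exhaust(guesses: int, attempts_per_window: int, window_seconds: int) -> float:
    """Wall-clock years to try every candidate under a lockout policy that allows
    `attempts_per_window` online attempts per `window_seconds`."""
    rate = attempts_per_window / window_seconds
    return guesses / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    print("known username, 8-char password:", guesses_known_username(8))
    print("hidden 8-char username + 8-char password:", guesses_hidden_username(8, 8))
    print("lowercase 8-char username worth ~%.1f extra password chars"
          % equivalent_extra_password_chars(8))
    # Assumed lockout policy: 5 attempts per 15 minutes from one client.
    print("years to exhaust 8-char passwords under lockout: %.2e"
          % years_to_exhaust(guesses_known_username(8), 5, 900))
```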

